The invention relates to computer security systems and methods, and in particular, to systems and methods for protecting hardware virtualization environments from computer security threats.
Malicious software, also known as malware, affects a great number of computer systems worldwide. In its many forms such as computer viruses, worms, rootkits, and spyware, malware presents a serious risk to millions of computer users, making them vulnerable to loss of data and sensitive information, identity theft, and loss of productivity, among others. Computer security software may be used to protect computer systems from malicious software.
Conventional security software may detect the occurrence of certain events (e.g., system calls, the execution of certain instructions, attempts to access certain resources) during execution of the operating system and/or of various applications on the respective computer system, and determine whether such events are caused by malicious software. Intercepting such events may require intrusive actions, such as modifying certain functions of the operating system (a technique commonly known as hooking). Hooking may be detected and disabled by malicious software, and may create performance and stability problems for the respective computer system.
Hardware virtualization technology allows the creation of simulated computer environments commonly known as virtual machines (VMs), which behave in many ways like physical computer systems. In many applications, such as server consolidation and infrastructure-as-a-service, several virtual machines may run simultaneously on the same computer system, sharing hardware resources among them, thus reducing investment and operating costs. Each virtual machine may run its own operating system and/or software applications separately from the other virtual machines, and may thus require its own protection from computer security threats.
The operation of computer security software is typically more complex and computationally expensive when carried out in hardware virtualization environments than in non-virtualized environments. In some configurations, security software executes outside the protected virtual machine, so that it is inaccessible to malicious software infecting the respective VM. In such cases, the occurrence of various events within the protected VM may need to be detected from outside the respective VM. In conventional hardware virtualization security applications, such detection is typically achieved via hooking. In one such example, the protected VM is configured to suspend execution when a certain event occurs, and to transfer control of the processor to computer security software executing outside the respective VM. After analyzing the event, the security software may instruct the processor to resume execution of the respective VM. Each such VM suspend/resume cycle may carry a substantial computational expense.
There is a substantial interest in improving the efficiency of computer security operations in hardware virtualization platforms.